// +build !windows
/*
Velociraptor - Dig Deeper
Copyright (C) 2019-2022 Rapid7 Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
// This module is built on gopsutil, but that library is too slow and
// inefficient. Eventually we will remove it from the codebase.
package vql
import (
"context"
"github.com/Velocidex/ordereddict"
"github.com/shirou/gopsutil/v3/process"
"www.velocidex.com/golang/velociraptor/acls"
"www.velocidex.com/golang/vfilter"
"www.velocidex.com/golang/vfilter/arg_parser"
)
// PslistArgs holds the arguments accepted by the pslist plugin.
type PslistArgs struct {
	// Pid, when non-zero, restricts the listing to that single process.
	Pid int64 `vfilter:"optional,field=pid,doc=A pid to list. If this is provided we are able to operate much faster by only opening a single process."`
}
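// init registers the non-Windows "pslist" plugin. The plugin enumerates
// processes through gopsutil and is gated on the MACHINE_STATE permission.
func init() {
	RegisterPlugin(vfilter.GenericListPlugin{
		PluginName: "pslist",
		Metadata:   VQLMetadata().Permissions(acls.MACHINE_STATE).Build(),
		Function: func(
			ctx context.Context,
			scope vfilter.Scope,
			args *ordereddict.Dict) []vfilter.Row {
			var result []vfilter.Row

			// The access check comes first: nothing about the process
			// table is touched unless the caller holds MACHINE_STATE.
			err := CheckAccess(scope, acls.MACHINE_STATE)
			if err != nil {
				scope.Log("pslist: %s", err)
				return result
			}

			arg := &PslistArgs{}
			err = arg_parser.ExtractArgsWithContext(ctx, scope, args, arg)
			if err != nil {
				scope.Log("pslist: %s", err)
				return result
			}

			// If the user asked for one process just return that one.
			if arg.Pid != 0 {
				// gopsutil takes an int32 pid. Refuse values that do not
				// round-trip rather than silently truncating to a
				// different pid than the one the caller asked for.
				pid := int32(arg.Pid)
				if int64(pid) != arg.Pid {
					scope.Log("pslist: pid %d out of range", arg.Pid)
					return result
				}
				process_obj, err := process.NewProcess(pid)
				if err != nil {
					// Report why the pid produced no row instead of
					// returning an indistinguishable empty result.
					scope.Log("pslist: pid %d: %s", arg.Pid, err)
					return result
				}
				return append(result, getProcessData(process_obj))
			}

			processes, err := process.Processes()
			if err != nil {
				// An enumeration failure must not look like an empty
				// process table to the caller; say what went wrong.
				scope.Log("pslist: %s", err)
				return result
			}
			for _, item := range processes {
				result = append(result, getProcessData(item))
			}
			return result
		},
		ArgType: &PslistArgs{},
		Doc:     "List processes",
	})
}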
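// getProcessData collects a small, fixed set of fields from p into a
// case-insensitive dict. Only a few accessors are called because each
// one goes through gopsutil's virtual methods and is comparatively
// expensive. Every accessor is best-effort: when one fails the field is
// still set to whatever the accessor returned (normally its zero value)
// rather than dropping the process from the listing.
//
// The parameter is named p rather than process so that it does not
// shadow the imported gopsutil package.
func getProcessData(p *process.Process) *ordereddict.Dict {
	result := ordereddict.NewDict().SetCaseInsensitive().
		Set("Pid", p.Pid)

	name, _ := p.Name()
	result.Set("Name", name)

	ppid, _ := p.Ppid()
	result.Set("Ppid", ppid)

	// Keep the column name compatible with the Windows pslist().
	cmdline, _ := p.Cmdline()
	result.Set("CommandLine", cmdline)

	createTime, _ := p.CreateTime()
	result.Set("CreateTime", createTime)

	times, _ := p.Times()
	result.Set("Times", times)

	exe, _ := p.Exe()
	result.Set("Exe", exe)

	cwd, _ := p.Cwd()
	result.Set("Cwd", cwd)

	user, _ := p.Username()
	result.Set("Username", user)

	memoryInfo, _ := p.MemoryInfo()
	result.Set("MemoryInfo", memoryInfo)

	return result
}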